# Signatures

Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key $sk$, and the public key is the spending public key $\text{PK}$.

Spelled out, signing takes as input a message hash $m$ and proceeds as follows:

1. $h \leftarrow \text{SHA512}(sk)$
2. $s \leftarrow h[0:32]$ (derive the signing secret key from the spending key)
3. $x \leftarrow h[32:64]$ (extract 32 bytes of entropy from the spending key)
4. $v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)
5. $n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \mod r \in \mathbb{F}_r$ ("reduce" the hash output into $\mathbb{F}_r$, using extra entropy from $sk$)
6. $R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)
7. $c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
8. $z \leftarrow n - \text{sk} \cdot c$
9. The signature is the pair $(c, z)$.
To verify, we take as input the message $m$ and signature $(c, z)$ and do the following (this is the standard verification procedure):

1. $Z \leftarrow z \times G$
2. $P \leftarrow c \times \text{PK}$
3. $R \leftarrow Z + P$
4. $cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
5. Accept the signature if $cp = c$. Reject it otherwise.
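The signing and verification procedures above, as an added worked example in plain Python (this is not Nocturne's own code). It carries these assumptions, none fixed by the page: Baby Jubjub arithmetic and the subgroup generator `G` of order `r` are implemented from the parameters published in circomlib; SHA-256 reduced into $\mathbb{F}_r$ stands in for the page's $H$ (the security argument says $H$ is Poseidon, omitted here to keep the example dependency-free); hash outputs and coordinates are read and written as big-endian byte strings; the signing scalar is the $s$ derived in step 2 and $\text{PK} = s \times G$ (the page writes $sk$ in step 8); and `verify` adds the range and subgroup checks on `c`, `z` and `PK` that any verifier should perform even though the page does not spell them out.

```python
# Added example (not Nocturne's code): the Schnorr variant described above,
# over Baby Jubjub, with no third-party dependencies.
import hashlib
import secrets

# Baby Jubjub: twisted Edwards curve A*x^2 + y^2 = 1 + D*x^2*y^2 over F_P,
# with prime-order subgroup generator G of order R (parameters as published in circomlib).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A = 168700
D = 168696
R = 2736030358979909402780800718157159386076813972158567259200215660948447373041
G = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)
IDENTITY = (0, 1)


def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    # Twisted Edwards addition law; complete on Baby Jubjub, so no special cases.
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def mul(k, pt):
    # Double-and-add scalar multiplication (not constant-time; fine for an illustration).
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def to_scalar(digest):
    # "Reduce" a digest into F_r; big-endian interpretation is an assumption of this example.
    return int.from_bytes(digest, "big") % R


def coord(v):
    return v.to_bytes(32, "big")


def challenge(pk, r_pt, m):
    # Stand-in for the page's H (Poseidon in Nocturne): SHA-256 over PK.X || R.X || R.Y || m, reduced into F_r.
    return to_scalar(hashlib.sha256(coord(pk[0]) + coord(r_pt[0]) + coord(r_pt[1]) + m).digest())


def derive(sk):
    h = hashlib.sha512(sk).digest()  # step 1
    s = to_scalar(h[0:32])           # step 2: signing secret scalar
    x = h[32:64]                     # step 3: 32 bytes of extra entropy
    return s, x


def public_key(sk):
    s, _ = derive(sk)
    return mul(s, G)                 # assumption: PK is the signing scalar's public key


def sign(sk, m, v=None):
    s, x = derive(sk)
    v = secrets.token_bytes(32) if v is None else v     # step 4 (fixed v only for tests)
    n = to_scalar(hashlib.sha512(x + v + m).digest())    # step 5: nonce from sk entropy, v and m
    r_pt = mul(n, G)                                     # step 6
    c = challenge(mul(s, G), r_pt, m)                    # step 7
    z = (n - s * c) % R                                  # step 8
    return (c, z)


def verify(pk, m, sig):
    c, z = sig
    # Checks the page leaves implicit: scalars in range, PK on the curve and in the prime-order subgroup.
    if not (0 <= c < R and 0 <= z < R) or not on_curve(pk) or mul(R, pk) != IDENTITY:
        return False
    r_pt = add(mul(z, G), mul(c, pk))    # steps 1-3: R = z*G + c*PK
    return challenge(pk, r_pt, m) == c   # steps 4-5


def demo():
    # Constructed inputs: a fixed 32-byte spending key and a fixed 32-byte message hash.
    sk = b"\x01" * 32
    m = b"\x07" * 32
    pk = public_key(sk)
    sig = sign(sk, m)
    ok = verify(pk, m, sig)
    forged = verify(pk, b"\x08" * 32, sig)  # the same signature on another message must fail
    return ok and not forged


if __name__ == "__main__":
    print("sign/verify round trip:", demo())
```

Because $n$ mixes fresh randomness $v$ with entropy derived from $sk$, two signatures over the same message differ, so the expected values in a test have to pin $v$; the `v` parameter exists only for that purpose and should never be fixed in real use, since a repeated nonce reveals the signing scalar.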

### Security Requirements

The signature scheme must be strongly unforgeable under chosen-message attack (SUF-CMA).

### Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption in the random-oracle model. In our case, security rests on the following assumptions:

1. Poseidon is a random oracle
2. The discrete log problem is infeasible in Baby Jubjub